How To Do A HIPAA Risk Assessment – Part 2

The Office of Civil Rights (OCR) is performing more and more HIPAA audits. How can you avoid getting hit with severe penalties from the government? The best way is to perform a complete HIPAA Risk Assessment, and to follow through with training and implementation.

Find out how to get compliant, and stay compliant in this multi-part series.  (To get this multi-part series delivered to your inbox CLICK HERE)

Now that you know what a HIPAA Risk Assessment is, let’s start with the basics.

To get compliant and avoid substantial fines, you need to know where your protected health information (PHI) is stored, accessed, transmitted and used.

To do this, it is imperative to create a complete inventory of devices at your practice. The OCR will require this inventory if your practice is audited.

Inventories are especially important if your staff is able to access PHI on mobile devices, such as laptops, tablets and cell phones.

What should be included in your inventory?

An inventory should be a comprehensive list of  all hardware used, or that could potentially be used, to access, store or transmit PHI. For each device, the HIPAA Privacy and Security Officers should keep a list of the:

  1. Name of the employee(s) using the device;
  2. Type of the device;
  3. Make of the device;
  4. Model of the device;
  5. Serial number of the device; and
  6. Mobile Equipment Identifier (MEID) of the device, if applicable.

All hardware needs to be inventoried.

This includes: computers, laptops, printers, copiers, fax machines, cell phones, cameras, storage devices, tablets, etc.

And remember, once isn’t enough...

Inventories must be updated regularly, and policies need to be in place that require staff members to report any and all new devices to the your HIPAA Privacy and Security Officers.

If a staff member leaves your organization, there must be verification that all computer equipment, software and mobile electronic devices have been returned to avoid potential breaches and OCR fines.

In our next blog post, we will continue this series on HIPAA Risk Assessments.  To get this important series delivered directly to your mail box, click here to Subscribe

Do you need help with your HIPAA Risk Assessment?  We can help. To contact us about your risk assessment or your other legal needs:  CLICK HERE.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.